Access to add and change pages is restricted. See: https://cwiki.apache.org/confluence/display/OFBIZ/Wiki+access

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Pre Gradle version

This page document the usage with Gradle, the pre-Gradle documentation is here: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=65865828

 

Sometimes the OFBIz code itself is not the culprit. OFBiz relies on many Java librairies, and if one of them has a flaw we can't always wait it's fixed to warn and protect our users. This is for instance what happened with the 2015 infamous Java serialization vulnerability. OFBiz was affected by 2 librairies: Apache Commons Collections and Apache Groovy . As you can see at Unable to render Jira issues macro, execution error. , we waited the Commons Collections update to fix the issue, because it was not much disclosed then.

But with the article above the buzz began to spread and we could not wait to be able to update Groovy. So a temporary workaround was adopted as explained in Unable to render Jira issues macro, execution error. . Since then OFBIZ-6568 has been fixed and the temporary workaround for Groovy is now unnecessary.

RMI and other risks

You were though still at risk if you used RMI, JNDI, JMX or Spring and maybe other Java classes we don't use OOTB in OFBiz. So the PMC decided to comment out RMI OOTB  Unable to render Jira issues macro, execution error. . But we could do nothing to prevent the other possiblities (not concerned OOTB). Note also that in the last release of the R12.04 branch (12.04.06) RMI is not deactivated so you should use the recommended remediation below.

We also decided to provide a simple way to protect OFBiz instances from all possible Java serialization vulnerabilities. While working on the serialization vulnerability, I stumbled upon this article "Closing the open door of java object serialization" and decided notsoserial was the solution we needed. It's now embedded in OFBiz and called by all running Gradle tasks. It easily protects you from all possible serialization vulnerabilities as explained in the notsoserial projectThe idea is simple: initially you don't know what to put in your whitelist because there are some objects in OFBiz you need to put there, plus the ones you add yourself. So you initially use an empty whitelist and with the dryrun option you specify a file where the serialized objects are listed. Then you can continuously fill your whitelist to keep things secure. You can use the trace option to get a better idea of where and why an object is serialized.

OWASP article (with good references at bottom)

This OWASP article is generic but simple enough to well understand the issue

  • No labels